The Allure of Red Teaming and Pentesting
I’ve been mentoring some folks new to cybersecurity for about a year now. I also stay pretty active on infosec Twitter and LinkedIn. I see a lot of people who are interested in infosec focus on offensive skills and the certifications required for pentesting and “hacking.”
I think about this often because it’s already hard enough to break into the industry with the gatekeeping that happens. I don’t want new folks to make it harder on themselves by spending time on skills that are not used as much as they think they are. It’s almost like college. You’re required to take Calculus and Chemistry. But how often have you used Calculus and Chemistry in the job you currently have?
I’m not saying these skills and certs are not important. There are pentesting jobs. There are people who make a living from bug bounties. But this is the minority in infosec. The majority of jobs are blue team/defense jobs.
But what about “Learning how to hack a system will help me protect it better.” Yes, it does. A lot of red teamers make great defenders but most of them have been in the infosec industry for years or have years of general IT experience. This is not what someone new to infosec should be thinking. Maybe if you’ve been in IT for a while but definitely not if you’re “new” new.
So what should you be focusing on if not pentesting and hacking skills? A lot of organizations have immature cybersecurity postures. You may be the only or first security hire. You may be part of a team of 2 or 3 analysts protecting the entire organization. How would you protect them? What policies would you put in place? This is not an all-inclusive list, but this is where I would start if I were new.
Yes, email. Try as we may, email is still the primary method of communication for many enterprise organizations. As a result, email is also the primary vector for attack. If I started working for a company and they did not have a secure email gateway (Microsoft Defender for Office, Mimecast, Proofpoint, etc.), this would be the first thing I would implement.
Most organizations use Office 365 as their main email provider. Office 365 does come with Exchange Online Protection (EOP) included. You should understand how this works and, most importantly, how to configure rules for exclusions. There will always be someone asking for a domain or a sender to exclude from a security control. Should you allow the single email, the sender, or the entire domain? These are questions to ask and answer based on the amount of risk the organization is willing to assume.
EOP is great since it’s included, but the next thing would be to implement an advanced email security gateway. Microsoft Defender for Office is great because it works for email and all desktop Office applications. And you can play around with the settings in a developer Microsoft subscription, which includes the top-level E5 product and 25 user licenses.
With your developer subscription, you can add a custom domain to it too. Learn how to configure DMARC, DKIM, and SPF. Know why this matters.
If your org already has email, you should verify these settings. Auditing and analyzing rules and tools that are already in place when you get to an organization is just as important as understanding why and how to implement a security tool.
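One way to do that verification for the SPF and DMARC part, as an added example that is not from the original post: it parses the two TXT records and flags the weak settings that an audit should catch (an SPF record that never fails unlisted senders, a DMARC policy still at `p=none`). The domain and records are constructed for illustration; for a real tenant you would feed in the TXT records pulled from DNS.

```python
# Added example (not from the original post): audit SPF and DMARC TXT records for
# weak settings. The records below are constructed for a hypothetical tenant and
# embedded inline so the check runs offline.
SAMPLE_RECORDS = {
    "example-corp.test": "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.0/24 ?all",
    "_dmarc.example-corp.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-corp.test",
}

def parse_spf(record):
    """Return the 'all' qualifier and the DNS-lookup count of an SPF record, or None."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    result = {"all": None, "lookups": 0}
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # no qualifier means pass
        name = term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].lower()
        if name == "all":
            result["all"] = qualifier
        elif name in ("include", "a", "mx", "ptr", "exists", "redirect"):
            result["lookups"] += 1                           # counts toward the 10-lookup limit
    return result

def parse_dmarc(record):
    """Parse 'tag=value;' pairs; return None if the record is not DMARC."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def audit_domain(domain, records):
    """Return findings for one domain; an empty list means nothing weak was found."""
    findings = []
    spf = parse_spf(records.get(domain, ""))
    if spf is None:
        findings.append("no SPF record")
    else:
        if spf["all"] not in ("-", "~"):   # missing 'all' is treated as neutral by receivers
            findings.append("SPF does not reject unlisted senders (use -all or ~all)")
        if spf["lookups"] > 10:
            findings.append("SPF exceeds the 10-lookup limit and evaluates to permerror")
    dmarc = parse_dmarc(records.get("_dmarc." + domain, ""))
    if dmarc is None:
        findings.append("no DMARC record")
    elif dmarc.get("p", "none") == "none":
        findings.append("DMARC policy is p=none, so spoofed mail is only monitored")
    return findings
```

Running `audit_domain("example-corp.test", SAMPLE_RECORDS)` on the constructed records returns the two findings above; a domain with `-all` and `p=reject` returns an empty list.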
The cliché saying these days is “Identity is the new control plane.” But it’s true. Legacy as it may be, many enterprise organizations still use Active Directory. Having an understanding of the built-in roles and security groups (Domain Admins, Account Operators, DNS Admins, etc.) is important. Scoping out Role Based Access Control (RBAC) for administrative and privileged access is extremely important.
There’s a TON to unpack for Active Directory, but understanding the basics and how to scope roles is a good place to start. You can build your own domain controller lab with free 180-day evaluation copies of Windows Server. While you’re at it, you should install AD sync on a server and sync it with your developer Microsoft subscription.
Understanding how AD syncs with Azure Active Directory is also important. Using AD sync is not a requirement for O365, but because most orgs still use on-prem AD as their primary directory for identity, user objects are generally created in on-prem AD and synced to AAD, where a license is assigned.
And of course, you’ll need to understand how identity works in the cloud. Scoping out RBAC for Azure admin roles, single sign-on (SSO), and multi-factor authentication (MFA) should all be part of the basics to understand. If your org doesn’t use Azure as an identity provider (IdP), SSO knowledge will still transfer over. You should understand how to implement SSO for a SaaS app. You can do this using your developer Microsoft subscription and another developer SaaS app like Salesforce or Box.
Finally, my last buzzword: zero trust. Organizations used to secure corporate data and resources behind firewalls and VPNs. But now with SaaS apps, corporate data is everywhere on any device. People want to access their email, documents, and applications on the device of their choosing in the place of their choosing.
Device management is one of the most important aspects of blue teaming there is. You should understand how device management works for multiple operating systems. You should understand how to protect corporate data if it’s accessed from non-managed (personal) systems. There are often so many holes in defenses at organizations because of today’s modern IT world.
Again, your developer Microsoft subscription comes with a full E5 license for all the security things (Microsoft Cloud App Security, Intune, Information Protection, Compliance, etc.). You can join devices to Azure AD for all the operating systems and push out configuration profiles and compliance profiles. Learn which settings work and why you should block or allow them.
Would you allow the use of third-party keyboards on Android devices? Would you allow iCloud document sync? Would you allow screenshots? Again, these are questions you should be asking and answering based on the risk an organization is willing to assume.
Each one of these topics is a mile deep, and you can learn the ins and outs of each one. But it doesn’t stop there. There’s vulnerability management, Data Loss Protection (DLP), Application Security, Privileged Access Management (PAM), internal phishing programs, and the list goes on.
If you’re new to infosec, I urge you to focus on defense rather than offense if your goal is to get into the industry. If I were a hiring manager, I would look at someone who has built a lab to learn about these technologies rather than someone with a Pentest+ or OSCP certification to help secure my company. If your passion is pentesting and hacking, more power to you. I hope you find a red team job that you can enjoy and make a living from.
Thanks for reading and reach out if there are any questions or comments!